Explored a bit and sent the guy an email at the whois address of another domain that seems in his possession. The email address in scripterous.com seems broken. root@localhost doesn't seem to get read.<p>Hi,<p>Your site scripterous.com is a security leak for your server. I was able to kill web server processes, investigate your server, and generally do things I shouldn't be able to do. A denial of service attack would be easy by constantly killing the web server and if there was a local root exploit (which I didn't look for) I could have executed that as well.<p>I wanted to send an email to the root account on the server, but it doesn't seem to get read.<p>You can view a bit more of the discussion on the security implications at <a href="http://news.ycombinator.com/item?id=827500" rel="nofollow">http://news.ycombinator.com/item?id=827500</a> (Despite the name and the subject we're discussing, that site is normally not about this kind of hacking.)<p>Your site is an interesting concept and it would definitely be interesting to have it around. Nonetheless I fear that the concept of the site is the cause of the security leaks. I'm not a security expert, but it is my opinion that it's not possible to make a site like this secure, without reimplementing PHP.<p>Best regards,<p>[Real name omitted, because I don't want this nick name to show up when people search my real name.]
Well, that is what I get for uploading an old project without giving it some consideration. Thank you to lucumo for the heads-up on this and to the rest of you for your exploits. Things should be a bit more secure now.
Online Python emulator: <a href="http://live.codenode.org" rel="nofollow">http://live.codenode.org</a> (uses Google App Engine to execute the code). Screenshots and docs on the homepage here: <a href="http://codenode.org" rel="nofollow">http://codenode.org</a>
<a href="http://codepad.org/" rel="nofollow">http://codepad.org/</a> is pretty similar, though it can do lots of other languages as well, like C, C++, Python...
I've been using something similar for a while but you download it and run it locally (hopefully):<p><a href="http://www.hping.org/phpinteractive/" rel="nofollow">http://www.hping.org/phpinteractive/</a>
It's not just an emulator, it's running real, full PHP (try PHPINFO).<p>Not in safe-mode, also running eaccelerator.
It will be cracked within a week, I am sure.<p><pre><code>// List the web server's current directory from a submitted script.
$handle = opendir('.');
while (false !== ($file = readdir($handle))) { echo "$file\n"; }
closedir($handle);</code></pre>
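The two comments above (real, full PHP, not in safe mode; the directory listing) are the kind of probing the thread describes. Below is an added example, not code from the thread or from scripterous.com, that packages that probing into a single read-only script: it reports which PHP-level restrictions are in effect and which process, file and network primitives a submitted script could call. The list of "interesting" functions is my own choice, and the whole thing assumes it is run as the submitted code would be, under the web server's PHP.

```php
<?php
// Added example (not from the thread): a read-only capability probe of the
// kind the commenters ran by hand with phpinfo() and opendir(). It only
// inspects configuration and function availability; it does not spawn
// processes, signal anything or write files.

function phpProbe(): array
{
    // Restrictions a host might rely on. safe_mode was removed in PHP 5.4,
    // so on modern PHP ini_get('safe_mode') returns false.
    $restrictions = [
        'safe_mode'          => ini_get('safe_mode'),
        'open_basedir'       => ini_get('open_basedir'),
        'disable_functions'  => ini_get('disable_functions'),
        'allow_url_fopen'    => ini_get('allow_url_fopen'),
        'max_execution_time' => ini_get('max_execution_time'),
        'memory_limit'       => ini_get('memory_limit'),
    ];

    // Primitives that turn "run my PHP" into "run anything as the web server
    // user": spawn or signal processes, touch arbitrary files, open sockets.
    $interesting = [
        'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen',
        'posix_kill', 'pcntl_exec',
        'file_get_contents', 'file_put_contents', 'opendir', 'symlink',
        'fsockopen', 'curl_exec', 'mail',
        'ini_set', 'dl',
        'eval', // language construct, handled specially below
    ];

    $disabled = array_map('trim', explode(',', (string) $restrictions['disable_functions']));
    $callable = [];
    foreach ($interesting as $fn) {
        // eval() cannot be turned off via disable_functions and
        // function_exists() does not recognise it; report it as always on.
        $callable[$fn] = ($fn === 'eval')
            ? true
            : (function_exists($fn) && !in_array($fn, $disabled, true));
    }

    // Who the script runs as. Every callable primitive above acts with this
    // user's rights, which is why signalling the server's own worker
    // processes (the DoS the first comment mentions) is within reach.
    $identity = [
        'uid'  => function_exists('posix_geteuid') ? posix_geteuid() : null,
        'user' => get_current_user(),
        'cwd'  => getcwd(),
        'php'  => PHP_VERSION,
        'sapi' => PHP_SAPI,
    ];

    return [
        'restrictions' => $restrictions,
        'callable'     => $callable,
        'identity'     => $identity,
    ];
}

// One-line verdict: any process primitive means the host has effectively
// handed the visitor a shell as the web server user.
function riskSummary(array $probe): string
{
    $process = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open',
                'popen', 'pcntl_exec', 'posix_kill'];
    $open = array_filter($process, fn($f) => $probe['callable'][$f] ?? false);
    if ($open) {
        return 'process control available: ' . implode(', ', $open);
    }

    $files = array_filter(['file_get_contents', 'file_put_contents', 'opendir'],
                          fn($f) => $probe['callable'][$f] ?? false);
    if ($files && empty($probe['restrictions']['open_basedir'])) {
        return 'filesystem reachable with no open_basedir: ' . implode(', ', $files);
    }

    return 'no obvious primitive, but eval() and the rest of the language still run in-process';
}

$probe = phpProbe();
echo json_encode($probe, JSON_PRETTY_PRINT), "\n";
echo riskSummary($probe), "\n";
```

Run it as a submission to the site and the summary line tells you in one glance why the first comment calls the site a leak. The caveat a practitioner would add to the "reimplement PHP" conclusion: disable_functions and open_basedir are defence in depth, not a boundary, because the submitted code shares the interpreter, memory and user account with the server. The boundary that actually holds is the operating system's: run each submission in its own unprivileged process (or container) with a CPU/memory limit and a wall-clock timeout, with no access to the server's files or process table, which is what the hosted Python and codepad services mentioned above are doing on the visitor's behalf.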
You can see some warning at the top of the page...<p>Warning (512): Cache not configured properly. Please check Cache::config(); in APP/config/core.php [CORE/cake/libs/configure.php, line 663]<p>Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 684]<p>Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 691]<p>...